A Tale of Two Data Breaches – Under Armour and Panera Bread

In the last weeks, two notable data breaches have been making headlines. Both of those affected U.S. companies. One impacting the company Under Armour and the other Panera Bread. The approach taken by those companies to mitigate the threat to consumers could not have been more different. One is a lesson on best practice and the other is a cautionary tale on how not to handle malicious attacks aimed at seizing consumer data.

Let us first examine the case of Under Armour and how their reaction to a data breach is an object lesson on how to handle an attack of this type.

In a society that is increasingly under threat from the lure of the latest fast food deals and convenience foods the last thing that consumers need is to be told that their efforts to lead a healthier lifestyle may now subject them to threats from hackers who are gaining access to the electronic devices they use to maintain their health. But this is just what happened when 150 million users of the fitness app supplied by Under Armour were alerted to the fact that their personal information that was lodged in their ‘MyFitnessPal accounts’ had been pilfered.

A spokesperson announced in late March that Under Armour became aware that the data breach of the fitness tracking app (that can track heart rates, as well as help users in losing weight and achieving fitness goals), had occurred during February of 2018 and ‘an unauthorized party acquired data associated with MyFitnessPal user accounts.’

Before you continue reading, how about a follow on LinkedIn?

Under Armour fitness app privacy best practice

Under Armour may have reacted quickly (in relative terms) to the breach. Its internal security mechanisms and firewalls separating sensitive information from less sensitive data prevented a far more wide-reaching impact on users of its fitness app. In this case, the company has stated that the data did not include any Social Security numbers, driver license numbers or any other government-issued identifiers. Under Armour also said payment card information was not collected.

The Baltimore, Maryland-based company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident, according to an Under Armour press release.

Security Expert at Forrester, Jeff Pollard said that while the breach affected a large number of accounts, “Under Armour is showing it learned some lessons from companies breached in recent months by notifying its customers rapidly after discovering the intrusion.”

However, the company has yet to clarify whether “other personal details – such as eating habits, photos, GPS location, and other fitness-related information – was included in the breach, and if included, whether that data was also encrypted or masked in some fashion,” which is of concern to users “and rightfully so,” said Pollard. “Fitness trackers and apps like MyFitnessPal are fantastic tools that help people, but users must also be aware of the fact that these devices and apps act as ‘opt-in surveillance.’ Anyone with access to what the app collects also has access to your location, habits, and preferences – and in this case, that is now an attacker.”

Within a week of Under Armour becoming aware of the issue, the company said it started to notify members of the MyFitnessPal community via email and in-app messaging. It also took proactive steps to address the vulnerabilities of its systems – other companies have not been so quick off the mark when they have suffered a data breach.

“Under Armour is working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities,” the recent press release stated. “The investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.”

Praise for Under Armour’s approach to data breach

Terry Ray, CTO of Imperva also praised Under Armour for its response to the data breach. “Most consumers are becoming a bit desensitized to data breaches, which have become common enough to barely make the news. And if one breach makes news, there are ten that don’t.

“First, in this case, it’s good that Under Armour detected the breach at all. Many companies fail that first most important step. Second, they at least used bcrypt for the passwords, which is considered considerably more compute intensive than sha-1.”

James Lerud, head of Verodin’s Behavioral Research Team added “Praising a company after a breach is difficult, but we should give Under Armour credit for keeping payment information separate from profile information.”

But still some concerns about data breach

But the praise of the CTO of Imperva was tempered with some reservations.

“Unfortunately, using only sha-1 for usernames and email addresses is a problem. For one, there are billions of already decrypted sha-1 hashes freely available on the web – and cracking a new one doesn’t take too much effort. [But at least] Under Armour took the appropriate steps to instruct users to change their passwords both on their site as well as any other site that uses those same usernames or email addresses.”

The concerns from Imperva were also echoed in comments by Gabriel Gumbs, Vice President of Product Strategy for STEALTHbits Technologies – although his comments were more about how much more serious the implications for Under Armour might have been if the regulations enforced by GDPR were in place today.

“It’s a privacy violation that might have gotten Under Armour in hot water if the General Data Protection Regulation (GDPR) was in effect today,” said Gumbs “Under Armour claims that no government-issued identifiers [such as social security numbers] were exposed in this breach. If this breach occurred 57 days from today, when GDPR enforcement begins, the EU’s Information Commissioner’s Office would draw no distinction as to whether the identifying data was government-issued or not.”

The commissioner likely would have put Under Armour under the microscope. “Because of the way GDPR defines identifiable information, there is possibly other information in this breach that would also run afoul of GDPR without having to be government-issued,” said Gumbs. “For example, if the MyFitnessPal mobile app collected a phones IMEI number that too would be identifiable data.”

He warned that “companies really should be in full sprint to ensure they are prepared for GDPR.”

Why are fitness apps at risk?

Tim Erlin, VP, Product Management and Strategy at Tripwire, said “You might not think about the information you submit to fitness applications as sensitive, but if you’re using the same password for other, more valuable applications, then the risk is really much more serious. Reusing passwords across multiple services and applications increases the risk of compromise.

“If you’re using MyFitnessPal, it’s time to change your password. If that password is being used for other apps or services, change those too.

“An application’s popularity is a good indication of how attractive a target it makes for cyber attackers. The more data available, the more an attacker has to gain. It’s very difficult for users to get a clear picture of what data they’ve shared, and how it might be at risk.”

Proactive partnership between consumers and business required to combat data breach

Erlin sums up the situation perfectly when it comes to consumer responsibility. “I couldn’t agree more with the need for users to change their passwords to something difficult to crack. There are plenty of resources online that will help you create an effective password. Anytime a leak of usernames or email addresses is made available anti-fraud technologies monitoring fraudulent logins and failed logins see major spikes with large login attempts using known passwords and large password dictionaries.”

However, this does not absolve companies of segregating sensitive data, continually updating their systems and ensuring that all available updates are rolled out timeously. It is becoming increasingly obvious that security and privacy should be treated as a partnership between consumers who own their data and those in companies that are custodians of that data – no matter how temporary that custodianship should be. If this does not occur, more and more serious data breach incidents are inevitable.

Panic at Panera Bread – How a data breach should not be handled

Now there is Panera Bread. In contrast to the professional manner in which Under Armour handled their data breach, Panera Bread dithered to such an extent that it beggars belief. Their handling of a cybersecurity breach that left customers names, email details, physical addresses, dietary preferences and loyalty card numbers – and even the last four digits of their payment cards open for months is a masterclass in how a cybersecurity breach should not be handled.

A security consultant named Dylan Houlihan, founder of Breaking Bits, a New York-based digital security firm, discovered the exposed data (which included his own) in August of 2017. He then reported the fact to Mike Gustavison, Panera Bread’s Information Security Director, alerting him to the existence of this vulnerability. He fully expected that the management at Panera Bread would fix the weaknesses in Panera Bread’s online systems. He was wrong. The company ignored the issue for months. Frustrated, Houlihan then made his findings public by supplying the information to high-profile security writer Brian Krebs, who published a post about the breach on his blog, KrebsOnSecurity.

The post went viral.

Panera Bread went into damage control mode and claimed that a fix had been applied. It shut down its website and issued a statement that “it takes data security very seriously.” However – it did not address the fact that senior security management had been aware of the issue for months. To add insult to injury, the fix was anything but effective. A simple log in would allow access to the same data that had been under threat all that time. The site was simply broken. Hackers could access the data from a variety of endpoints – for instance catering.panerabread.com.

Then Panera Bread started to spin the story – saying to Fox News that the breach had affected less than 10,000 customers. Krebs disagreed. His research indicated that the weakness had exposed the data of around 37 MILLION customers.

In the words of Houlihan “It’s easy to bully Panera Bread for this, but in my opinion we need to take Panera Bread’s actions as symptomatic of a much larger issue with security reporting and compliance. This is not a problem unique to any particular type of company. This has happened before and it will continue to happen.”

“I’m not going to stand for reporting that sweeps all of this under the rug,” he wrote. “The ‘resolution’ didn’t resolve anything.”

So what could Panera Bread have done differently?

The short answer is everything. The missteps by the company are myriad – and it is especially galling given the fact that they had a dedicated senior resource responsible for cybersecurity.

Data breach – What to do

There are a number of issues that Panera Bread should have addressed.

There should have been dedicated web page for those who want to report security issues. This should not be a function of normal customers support. Microsoft has one, as does Google. Ignoring this is the start of a slow, but steady descent into crisis mode. Researchers should not have to search for the correct contact – they need to be able to find that person in the blink of an eye.

Don’t shoot the messenger. When Houlihan reported the issue and eventually heard from the person responsible for cybersecurity he was accused of being a scam artist. If the results were not so serious it would seem comedic. Houlihan had to feverishly search through social media accounts in order to find the correct person to report a security vulnerability. That is simply bad business practice. Then, despite numerous emails to the management of Panera Bread, he was simply ignored.

Eventually a response did reach him. Six days after his initial communication Panera Bread’s security lead replied: “Thank you for the information we are working on a resolution.”

There’s a saying in public relations – tell the truth, tell it well and tell it fast. The days of spin are over. In this day and age of dubious ‘fake news’ a company has the rock hard, granite responsibility to its shareholders to tell the truth and address the problem promptly. For Panera Bread to dither for months is simply inexcusable.

Willy Leichter, Vice President of Marketing at Virsec commented, “Once again we see a large organization not taking security seriously enough, not reacting immediately when notified of a possible leak, and not promptly notifying customers that there data was exposed. Ongoing events like this will only heighten calls for a national standard on breach notification laws.”

It took 8 months for Panera Bread to apply what was in essence a band aid to a gaping wound in the company’s cybersecurity.

Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks, explained some of the vulnerabilities that led to the data breach, and how to avoid it:

“This kind of programming mistake is much more common than you would think. We highly advise website owners to perform penetration testing of their websites to identify these types of vulnerabilities as early as possible.

“In the case of Panerabread.com, the site had an open API that anyone on the internet could query and did not require any type of authentication. This information that was accessed (such as dietary preferences and the last digits of a credit card number) can be queried if you know the phone number of the customer, which one could easily obtain using a second API.

“According to Hahad, this second API can be queried using a customer ID number to retrieve the username chosen, email address, first and last name, loyalty card number, phone number, full birth date and other options like SMS preferences, corporate customer status, etc. This API was easier to mine because sequential numbers were used as customer IDs.”

Paul Bischoff, Privacy Advocate at Comparitech was even more scathing when it came to Panera Bread’s reaction.

“The Panerabread.com leak is an inexcusable oversight that not only took far too long to fix, but should have never occurred in the first place. Customers’ names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards were accessible for eight months. This was not a sophisticated breach by hackers. The unsecured database of millions of customers could easily be accessed via a web browser, and all the data was available in plain text, meaning thieves wouldn’t even have to both decrypting it.

“This is a good example of why consumers need to be cautious about signing up for loyalty programs and similar promotional membership schemes. It’s very difficult or impossible to know whether a company takes your information security seriously and can competently handle it.”

Data breach fatigue

Travis Smith, Principal Security Researcher at Tripwire commented on the fact that the general public is now becoming so used to the fact that data breaches are so commonplace that they have simply ceased to be concerned.

“Unfortunately, the general public has breach fatigue. It seems like every day there’s another story about a different hack and a different breach of privacy. The reality is that most people will be outraged about this today, but next week they won’t even remember that it happened. Even if there was some sort of litigation, those who were affected can really only count on adding another year of free credit monitoring.

“While this is personally identifiable information, the sad fact is that the only real new piece of information attackers have now is that you like sandwiches. They can correlate that with your healthcare records, credit score, and social media profile to get a more accurate picture of who the real you is.”

Ray summed it up best, “It seems at a minimum, they failed to either believe and test the first finding of this breach in August [2017] and quickly rectified the issue once it went public here in April [2018]. They certainly appear capable of fixing the issue as they did quickly today, so why didn’t it happen in August when they were first alerted?”

Conclusion

The latest disclosure by Facebook around the release of data and the way that data is used is symptomatic of the simple fatigue of the general public. It now seems common that most people have no illusions about privacy. They have surrendered to the idea that if they use a service, such as a social media site their data will be harvested. It is after all in the exhaustive conditions of use of sites like Facebook. Mark Zuckerberg is now on record as saying that he has no doubt that users do not read the terms and conditions when they sign up. Now, this may not be the case with Panera Bread – but their actions have demonstrated the sort of cavalier attitude that cannot continue to be acceptable.

Have a plan. Execute that plan. Do not rush a fix – but don’t sit on your hands hoping the problem will resolve itself. It won’t. And, like that first light snowfall on a mountain peak can cause an avalanche the damage can be catastrophic. Compare Under Armour and Panera Bread and it becomes very clear which approach is best. Fix the problem. Inform consumers. Have the correct person in place to deal with cybersecurity issues.

As an advice to companies, Erlin suggests: “Every publicly disclosed incident is an opportunity for unaffected organizations to consider how they would respond. Don’t just criticize the response; use the incident as a model for how your own organization might respond, and take steps to improve before it’s your name in the headline.”

Perhaps the most telling comment is from Anthony James, chief marketing officer at CipherCloud:

“This breach is not unusual, and mirrors many recent headlines where mis-configurations occur, procedures may be missed, default passwords may still get used, ports will remain open to the internet, and, in this case, serious issues will somehow not be tracked and resolved.

“On a larger scale, can you even imagine that the thousands of alerts pouring into the average security operations center on their SIEM display are properly vetted every day? The moral of the story? Mistakes will be made and eventually they will become disastrous unless they are corrected or the data is protected along its entire lifecycle.

#Databreach response approach by Under Armour and Panera Bread could not have been more different. Click to Tweet

What can others do to ensure that don’t become tomorrow’s headline? Add the necessary security layers to build Zero Trust into the systems automatically – meaning whatever data is being stored/used, expect it will be compromised. Anticipate that people will make mistakes and build out your cyber defense and your security policies to protect from a breach – your overall security will be stronger for it.”

Sarah Meyer is a technology writer for more than 10 years. She writes on public policy issues with a focus on cybersecurity and personal data protection. Sarah has previously worked for large multinational cybersecurity companies in the areas of government relations and public policy engagement.